The proliferation of networked electric vehicle (EV) charging stations integrated with utility grid control systems introduces cyber-physical attack surfaces whose consequences extend far beyond individual devices. This paper presents the first empirical analysis demonstrating how protocol-level vulnerabilities in Open Charge Point Protocol (OCPP) implementations enable telemetry falsification with quantifiable downstream impact on Supervisory Control and Data Acquisition (SCADA) systems and Automated Demand Response (ADR) mechanisms. We develop a formal threat model for OCPP communication security and demonstrate a multi-layer man-in-the-middle (MITM) attack against the EVerest open-source charging framework, exploiting the absence of end-to-end message authentication through coordinated ARP cache poisoning, DNS spoofing, and TLS interception. Our attack achieves real-time manipulation of charging telemetry with configurable amplification factors, creating phantom grid loads of 64.8 kW per compromised Level 2 charger under 10× falsification. We ground our impact analysis in IEEE 2030.5, OpenADR 2.0, and NERC frequency response standards to quantify how falsified telemetry propagates through Distribution Management Systems (DMS), demonstrating that compromise of as few as 11 chargers on a typical suburban feeder can trigger erroneous demand response actions. We propose a defense-in-depth architecture spanning network, transport, application, and semantic validation layers that achieves complete attack prevention with less than 10 ms additional latency. Experimental validation across 50 controlled trials on a representative testbed confirms reliable attack success against unprotected systems, while the proposed defense layer independently prevents exploitation. Analysis of OCPP 2.0.1 security profiles reveals specification gaps that persist even in compliant implementations and motivates concrete protocol evolution recommendations.
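As an added illustration (not code from the paper or the EVerest project), the following sketches a semantic-validation check of the kind the abstract's defense architecture places on the CSMS side: it parses an OCPP 1.6J MeterValues report, rejects active-power readings a charger of that nameplate could not physically produce, and computes the phantom load a falsified report would otherwise inject into the DMS view. The charge point identifier, the 7.2 kW Level 2 nameplate, the 5% tolerance and the sample payloads are constructed assumptions.

```python
import json

# Constructed fleet record (hypothetical): nameplate power per charge point in kW.
# A Level 2 charger on a 240 V / 30 A circuit delivers roughly 7.2 kW.
RATED_KW = {"CP-L2-001": 7.2}

# Headroom above nameplate before a reading is treated as physically impossible.
TOLERANCE = 1.05


def ocpp16_meter_values(watts):
    """Build a constructed OCPP 1.6J MeterValues payload as a charger would send it."""
    return json.dumps({
        "connectorId": 1,
        "transactionId": 42,
        "meterValue": [{
            "timestamp": "2024-01-01T12:00:00Z",
            "sampledValue": [{"value": str(watts),
                              "measurand": "Power.Active.Import",
                              "unit": "W"}],
        }],
    })


def active_power_kw(payload):
    """Return the last Power.Active.Import sample in kW, or None if none is present."""
    power = None
    for mv in json.loads(payload).get("meterValue", []):
        for sv in mv.get("sampledValue", []):
            if sv.get("measurand") != "Power.Active.Import":
                continue
            value = float(sv["value"])
            unit = sv.get("unit", "W")
            if unit not in ("W", "kW"):
                raise ValueError("unexpected unit for active power: %s" % unit)
            power = value / 1000.0 if unit == "W" else value
    return power


def validate_meter_values(charge_point_id, payload):
    """Semantic-layer check: accept only readings within the charger's nameplate rating.
    Returns (accepted, reported_kw, phantom_kw); phantom_kw is the non-existent load
    grid-side systems would believe in if the report were passed through unchecked."""
    rated = RATED_KW[charge_point_id]
    reported = active_power_kw(payload)
    if reported is None:
        return False, None, 0.0
    if reported <= rated * TOLERANCE:
        return True, reported, 0.0
    return False, reported, round(reported - rated, 3)


def phantom_feeder_load_kw(rated_kw_list, amplification):
    """Aggregate phantom load if every listed charger's full-rate telemetry were
    multiplied by `amplification` and accepted without validation."""
    return round(sum(kw * (amplification - 1) for kw in rated_kw_list), 3)
```

For the 7.2 kW charger, a 10× falsified report (72 kW) is rejected and carries 64.8 kW of phantom load, matching the per-charger figure in the abstract; the feeder aggregation only sums such loads and does not reproduce the paper's demand-response threshold analysis.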